Access control forms the backbone of cybersecurity, ensuring that only authorized users can interact with specific resources within a system. This article provides an overview of the principles and implementation of access control, with insights from Gollmann’s chapters on Access Control, the Bell-LaPadula Model, and Security Models.
What is Access Control?
Access control is the mechanism by which systems regulate who can access what resources and under what conditions. Its primary goals include safeguarding confidentiality, ensuring integrity, and maintaining the availability of resources.
Key Concepts in Access Control
1. Access Control Fundamentals (Chapter 5)
This chapter explores the core principles and mechanisms that define access control:
- Authentication and Authorization:
  Authentication verifies user identity, while authorization determines the access level assigned to the authenticated user.
- Access Modes:
  Interaction between subjects (users) and objects (resources) can include:
  - Read: Access to retrieve data from an object.
  - Write: The ability to modify or append data to an object.
  - Execute: Permission to run executable files or programs.
- Access Control Mechanisms:
  These are the methods by which systems enforce access policies:
  - Access Control Lists (ACLs): Define which users or groups can access an object and what actions they can perform.
  - Capabilities: Assign access rights directly to users or processes.
2. Bell-LaPadula Model (Chapter 11)
The Bell-LaPadula model is a cornerstone in security, designed to enforce confidentiality within systems. Its two primary rules are:
- Simple Security Property (“No-Read-Up”):
  A subject cannot read data from a higher security level than its own.
- Star (*) Property (“No-Write-Down”):
  A subject cannot write data to a lower security level, preventing sensitive information from leaking.
Applications:
The Bell-LaPadula model is widely used in government and military systems where confidentiality is paramount.
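The two rules above can be expressed as a small reference monitor. The following is an added example, not code from the article or from Gollmann's book. It goes one step beyond the text by attaching need-to-know categories to each level, so labels form a lattice rather than a simple ordering; the level names, the category names and the sample subjects and objects are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed level ordering for this example (not taken from the article).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label: hierarchical level plus need-to-know categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND categories a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Decide a request under the two Bell-LaPadula rules."""
    if mode == "read":    # simple security property: no read up
        return subject.dominates(obj)
    if mode == "write":   # star property: no write down
        return obj.dominates(subject)
    return False          # fail closed on any mode the policy does not know


def decide(requests):
    """Map (subject, object, mode) triples to ALLOW/DENY decisions."""
    return ["ALLOW" if blp_allows(s, o, m) else "DENY" for s, o, m in requests]


if __name__ == "__main__":
    # Constructed subjects and objects.
    analyst = Label("secret", frozenset({"crypto"}))
    report = Label("top_secret", frozenset({"crypto"}))
    memo = Label("confidential")
    peer_file = Label("secret", frozenset({"nuclear"}))
    for obj in (report, memo, peer_file):
        for mode in ("read", "write"):
            print(obj, mode, decide([(analyst, obj, mode)])[0])
```

Writing up is permitted, so the analyst can write to the top-secret report it cannot read. Labels with different categories at the same level are incomparable, and both read and write are denied.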
3. Security Models (Chapter 12)
This chapter reviews additional models that address confidentiality, integrity, and secure information flow.
- Biba Model:
  - Focuses on integrity, ensuring that data is not tampered with.
  - Implements “No-Read-Down” and “No-Write-Up” rules.
- Clark-Wilson Model:
  - Emphasizes well-formed transactions and separation of duties to maintain data integrity.
- Chinese Wall Model:
  - Prevents conflicts of interest by restricting access based on previously accessed information.
- Harrison-Ruzzo-Ullman Model:
  - Examines how access rights can be dynamically created and revoked in systems.
Real-World Access Control Practices
Discretionary Access Control (DAC):
Users control access to their resources. Widely implemented in commercial systems like Unix.
Mandatory Access Control (MAC):
Access is determined by the system, independent of the user’s identity. Common in government systems.
Role-Based Access Control (RBAC):
Permissions are assigned based on organizational roles.
Attribute-Based Access Control (ABAC):
Access decisions are made based on attributes like user location, device type, or time of access.
Conclusion
Understanding access control and its associated models, such as the Bell-LaPadula and Biba models, is essential for implementing robust security systems. By studying concepts from Gollmann’s chapters on access control and security models, professionals can design systems that uphold confidentiality, integrity, and secure data flow.